View Issue Details

ID: 0015260
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015260: access_get_status_threshold() returns incorrect value for NEW
Description

When the user's access level is below $g_update_bug_status_threshold and the status to change to is NEW, the function returns the incorrect access level, preventing the user from accessing the target status when updating bugs, even though the workflow permits it.

Steps To Reproduce

With Mantis default settings (i.e. update_bug_status_threshold = DEVELOPER, login
as UPDATER),

Tags: No tags attached.

Relationships

related to 0015258 (closed, dregad): CVE-2013-1811 Reporter can change issue status to 'new'
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

grangeway

2013-04-05 17:56

reporter   ~0036109

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master-1.2.x 179bfc01

2012-12-06 03:33

dregad


access_get_status_threshold() returns incorrect value for NEW

When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default
'update_bug_status_threshold'.

Fixes 0015260, affects issue 0015258
Affected Issues
0015258, 0015260
mod - core/access_api.php

MantisBT: master 53844e36

2012-12-06 03:33

dregad


access_get_status_threshold() returns incorrect value for NEW

When the user's access level is below $g_update_bug_status_threshold and
the status to change to is NEW, the function returned the incorrect
access level, preventing user from accessing the target status when
updating bugs, even though the workflow permits it.

This commit fixes the problem by introducing special handling for NEW
status ('bug_submit_status'), in which case the function returns
'report_bug_threshold' otherwise it falls back to default
'update_bug_status_threshold'.

Fixes 0015260, affects issue 0015258
Affected Issues
0015258, 0015260
mod - core/access_api.php
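
A simplified model of the threshold lookup described in the commit message, added here as an illustration and not MantisBT's own code. The numeric access-level and status constants, the `set_status_threshold` override map and the "before" behaviour (always falling back to `update_bug_status_threshold`) are assumptions based on MantisBT's defaults and the description above.

```php
<?php
// Illustrative model only, not MantisBT source code.
// Constant values follow MantisBT's default access levels and statuses (assumed).
const REPORTER = 25, UPDATER = 40, DEVELOPER = 55;
const STATUS_NEW = 10, STATUS_ASSIGNED = 50, STATUS_RESOLVED = 80;

$config = [
    'bug_submit_status'           => STATUS_NEW,
    'report_bug_threshold'        => REPORTER,
    'update_bug_status_threshold' => DEVELOPER,
    'set_status_threshold'        => [], // per-status overrides, none configured
];

// Assumed pre-fix behaviour: every status without an override gets the
// generic update threshold, NEW included.
function threshold_before(array $cfg, int $status): int
{
    return $cfg['set_status_threshold'][$status]
        ?? $cfg['update_bug_status_threshold'];
}

// Post-fix behaviour as the commit message describes it: the submit status
// is gated by the reporting threshold, everything else by the default.
function threshold_after(array $cfg, int $status): int
{
    if (isset($cfg['set_status_threshold'][$status])) {
        return $cfg['set_status_threshold'][$status];
    }
    return $status === $cfg['bug_submit_status']
        ? $cfg['report_bug_threshold']
        : $cfg['update_bug_status_threshold'];
}

// Names of the target statuses whose threshold the given access level meets.
function reachable(callable $threshold, array $cfg, int $level, array $statuses): array
{
    return array_keys(array_filter(
        $statuses,
        fn (int $s): bool => $level >= $threshold($cfg, $s)
    ));
}

$statuses = ['new' => STATUS_NEW, 'assigned' => STATUS_ASSIGNED, 'resolved' => STATUS_RESOLVED];
foreach (['threshold_before', 'threshold_after'] as $fn) {
    printf("%-16s UPDATER may set: [%s]\n", $fn, implode(', ', reachable($fn, $config, UPDATER, $statuses)));
}
```

In this model a REPORTER-level account also meets the NEW threshold after the fix, so a stricter gate for that status has to come from an explicit per-status override or from the workflow configuration.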